providers/ldap: avoid negative caching on flow errors

- direct: map flow/transport errors to LDAPResultOperationsError instead of InvalidCredentials.
- memory: cache only non-OperationsError results; guard against missing flags/session when deriving TTL.

This prevents transient backend/flow failures from being cached as invalid credentials
for a DN/password combination. Successful binds and genuine InvalidCredentials/access
outcomes continue to be cached as before, preserving intended behavior.

Signed-off-by: Christian Albrecht <christian.albrecht@mayflower.de>

Author: calbrecht

internal/outpost/ldap/bind/direct/bind.go

@@ -46,7 +46,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
 		req.Log().WithError(err).Warning("failed to execute flow")
-		return ldap.LDAPResultInvalidCredentials, nil
+		return ldap.LDAPResultOperationsError, nil
 	}
 	if !passed {
 		metrics.RequestsRejected.With(prometheus.Labels{

internal/outpost/ldap/bind/memory/memory.go

@@ -54,11 +54,13 @@ func (sb *SessionBinder) Bind(username string, req *bind.Request) (ldap.LDAPResu
 	}
 	sb.log.Debug("No session found for user, executing flow")
 	result, err := sb.DirectBinder.Bind(username, req)
-	// Only cache the result if there's been an error
-	if err == nil {
+	// Cache all non-OperationsError results to preserve positive/negative caching
+	// semantics, but avoid caching transient backend/flow failures which surface
+	// as LDAPResultOperationsError.
+	if err == nil && result != ldap.LDAPResultOperationsError {
 		flags := sb.si.GetFlags(req.BindDN)
-		if flags == nil {
-			sb.log.Error("user flags not set after bind")
+		if flags == nil || flags.Session == nil {
+			sb.log.Error("user flags/session not set after bind")
 			return result, err
 		}
 		sb.sessions.Set(Credentials{